CertiK, the smart contract security firm, continues to maintain that its actions against the Kraken exchange were ethical and that it was trying to estimate the full scope of the security flaws. The testers also claim they returned all the funds in kind and did not extort Kraken.

The CertiK team issued a new statement refuting some of Kraken's earlier claims. The testers denied demanding a bounty, stating that their priority was fixing the vulnerability that allowed funds to be printed into an account.


All the withdrawn funds came from Kraken’s cold wallets, and no user accounts were affected. The coins were returned based on CertiK’s own calculations and transaction records. 

Q&A to recent CertiK-Kraken whitehat operations:

1. Did any real user lose funds? No. Cryptos were minted out of air, and no real Kraken user’s assets were directly involved in our research activities.

2. Have we refused to return the funds? No. In our communication with…

— CertiK (@CertiK) June 20, 2024

CertiK’s most controversial action was sending some of the funds to Tornado Cash. The coin mixer was previously sanctioned by the US Treasury Department, which barred persons domiciled in the USA from interacting with it.

CertiK is well aware of Tornado Cash’s status and included the transfers as proof of its exploit. CertiK has also previously tracked Tornado Cash usage as part of older exploits. One of CertiK’s chief focuses remains the auditing of smart contracts, which often contain similar logic flaws leading to unlimited token creation.

CertiK’s approach to ethical hacking unnerved observers, as small sums were sent directly to Tornado Cash to test the exploit. Some steps in the Kraken testing process were leaked on social media before Kraken finally notified it of the actual size of the exploit. 

The issue of a bug bounty has not been discussed, but CertiK keeps claiming it did not require a bounty to return the funds. So far, Kraken’s security team has not announced any bounty for CertiK. 

Kraken admits to receiving all funds

CertiK generated balances on the centralized Kraken platform and performed withdrawals on behalf of those accounts. 

Kraken’s claim that CertiK had not returned the funds accurately was the most controversial point. It was refuted a few days later, when Kraken’s Chief Security Officer Nick Percoco announced that the funds had been fully returned, minus transaction fees.

Update: We can now confirm the funds have been returned (minus a small amount lost to fees). https://t.co/cHkjPt3m2A

— Nick Percoco (@c7five) June 20, 2024

CertiK’s accounting reported withdrawals of only ETH, USDT and XMR, while Kraken also claimed that 155,818.44 MATIC had been withdrawn and mixed. The withdrawals were estimated at around $3M, though CertiK used only a small sum to prove the exploit.

Further analysis of the exploit showed that CertiK generated non-existent MATIC balances, but the transactions failed, and no funds left the Kraken cold wallets. The generated MATIC existed only as an internal balance on the exchange and did not result in the transfer of real Polygon tokens.

#Certik : At first glance, it seems that Certik's exploit consists of:

1. Creating a contract & depositing funds into it
2. Generating the LogFeeTransfer() event
3. @krakenfx scans LogFeeTransfer() on its deposit addresses and doesn't seem to verify if the MATIC are really there

— Naïm Boubziz (@BrutalTrade) June 20, 2024
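As an added illustration (not CertiK's or Kraken's code, and not the real Polygon event layout or contract address), the flawed deposit-crediting pattern the tweet describes sits beside a hardened version that trusts only the canonical token contract's events and then confirms the on-chain balance change. The `Log` structure, the addresses and the amounts are constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple
# Constructed placeholder for the single contract whose transfer events an
# exchange should trust; the real Polygon contract address is not used here.
CANONICAL_TOKEN = "0xcanonicaltoken"

@dataclass(frozen=True)
class Log:
    emitter: str   # contract that emitted the log
    event: str     # decoded event name
    to: str        # recipient decoded from the event data
    amount: int    # amount decoded from the event data (smallest unit)

def credit_naive(logs: List[Log], deposits: Set[str]) -> Dict[str, int]:
    """Flawed: credit any LogFeeTransfer naming a deposit address, whoever emitted it."""
    credits: Dict[str, int] = {}
    for log in logs:
        if log.event == "LogFeeTransfer" and log.to in deposits:
            credits[log.to] = credits.get(log.to, 0) + log.amount
    return credits

def credit_verified(logs: List[Log], deposits: Set[str], bal_before: Callable[[str], int],
                    bal_after: Callable[[str], int]) -> Tuple[Dict[str, int], List[Tuple[str, str]]]:
    """Hardened: trust only the canonical emitter, then confirm the on-chain balance delta."""
    claimed, flagged = {}, []
    for log in logs:
        if log.event != "LogFeeTransfer" or log.to not in deposits:
            continue
        if log.emitter.lower() != CANONICAL_TOKEN:
            flagged.append((log.to, "untrusted emitter"))  # same event name, wrong contract
            continue
        claimed[log.to] = claimed.get(log.to, 0) + log.amount
    credits = {}
    for addr, amount in claimed.items():
        if bal_after(addr) - bal_before(addr) >= amount:
            credits[addr] = amount
        else:
            flagged.append((addr, "balance delta not observed"))  # hold for review, never credit
    return credits, flagged

# Constructed sample: a genuine transfer, a spoofed event from a custom contract that
# moved no tokens, and a canonical-looking claim whose balance never materialised.
DEPOSITS = {"0xdep1", "0xdep2", "0xdep3"}
LOGS = [Log(CANONICAL_TOKEN, "LogFeeTransfer", "0xdep1", 100),
        Log("0xcustomcontract", "LogFeeTransfer", "0xdep2", 5_000),
        Log(CANONICAL_TOKEN, "LogFeeTransfer", "0xdep3", 50)]
BEFORE = {"0xdep1": 0, "0xdep2": 0, "0xdep3": 0}
AFTER = {"0xdep1": 100, "0xdep2": 0, "0xdep3": 0}
def run() -> Tuple[Dict[str, int], Dict[str, int], List[Tuple[str, str]]]:
    verified, flagged = credit_verified(LOGS, DEPOSITS, BEFORE.get, AFTER.get)
    return credit_naive(LOGS, DEPOSITS), verified, flagged
```

Only the first deposit survives both checks; the naive indexer would have credited all three.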

In some cases, the presence of funds can be simulated; other protocols have been attacked in a similar way using flash loans.

CertiK asserted that exploits picked up again in June, with more than $30M taken from apps and protocols. The count does not include attacks against individual wallets. 

Tornado Cash is still operational years after the sanctions

The Tornado Cash mixer is still facilitating exploits, as funds become untraceable after passing through it. Even after wallets and addresses are blacklisted, nothing prevents hackers from mixing ETH and sending it to new, unknown wallets.


Since 2022, Tornado Cash has had limited resources, but the service is still operational. 

The founder of Tornado Cash, Alexey Pertsev, was sentenced in May 2024 and could spend years behind bars. Yet the sanctions and bans, which do not apply in jurisdictions outside the USA, do not prevent anyone from using the mixer.

Some coins, like USDC, have blacklisted all Tornado Cash contracts, so any funds sent to those contracts cannot be recovered. USDC is also known for its issuer's centralized ability to freeze coins. For Kraken, the ability to withdraw to a Tornado Cash contract address was also a major vulnerability. Most token issuers choose not to exercise such control over their tokens, which leaves stolen tokens irrecoverable once mixed.

Cryptopolitan reporting by Hristina Vasileva